CryptoLocker Ransomware Encrypts Your Files Permanently

If you follow the Boxaid Blog and are one of our loyal customers, you have heard us talk about ransomware before. It is a newer category of malware whose business model is extortion, and the trend is unfortunately growing, judging by the infected computers our customers bring us.

The Trend of Growing Ransomware

At Boxaid we first saw the trend with non-destructive ransomware: the computer gets infected and becomes unusable until you pay the malware author a fee, usually in the range of $100. We call these non-destructive because, like the popular FBI virus, they lock you out of the machine but leave your data alone.
The technicians at Boxaid can remove that kind of ransomware with our tools and techniques, and your computer is back to normal. This is not the case with a new piece of ransomware called CryptoLocker.

How Crypto Locker Works

CryptoLocker is considered destructive ransomware because it makes your critical files inaccessible. We have seen some malware do this in the past, but it is NOT common. Most malware does not destroy your data; it tries to make money off the end user in more passive ways. In our opinion a line is crossed when malware writers start destroying users' data such as irreplaceable pictures, financial records and so on. It is simply bad form.

CryptoLocker, which some anti-virus vendors call Crilocker or Crilock, usually arrives through social engineering: an email carrying an attachment or a link that the user is tricked into clicking. That first click is what installs the malware. Here is one of the many emails we have seen it arrive in:

From: Xerox WorkCentre [Xerox.Device0@[OUR DOMAIN]]

Sent: Thursday, September 26, 2013 11:23 AM

To: [OUR INFECTED USER]

Subject: Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

From there the ransomware finds your personal files by extension: pictures, documents and spreadsheets are targeted, whether they sit on your local C: drive or on a mapped network drive. It then encrypts them using asymmetric (public-key) cryptography: the copy of the malware on your PC carries only a public key, and the matching private key that can descramble the files never leaves the attacker's server. Your files are still there, but they can no longer be read by you without that key.

You then get a pop-up message with a countdown that gives you a few hours to pay the ransom to the malware author. Initial reports of this infection mentioned a $100 ransom, but the versions we have seen in the last seven days ask for $300. So what happens if you don't pay? You will not be able to recover your files or access them ever again. At Boxaid we have removed this ransomware a few times, and even after the malware is gone the files are still encrypted. That is what makes it unique: with most other malware we remove, there is little lasting damage once it is gone. This is not the case with CryptoLocker.

How to Avoid Crypto Locker Infection

Unfortunately, this new ransomware is going to be a growing trend; these authors are setting a precedent that others will follow. The only reliable defense is not to get infected in the first place. We think these techniques are obvious, but they are still worth mentioning:

1. DON’T click anything unless you know what it is. In the case of CryptoLocker, every customer we spoke to said they got it from an email disguised as coming from the US Postal Service.
2. If you get an email from ANYONE with an attachment, do not open it unless you unconditionally trust the sender. Keep in mind that the sender's name and address are trivial to fake; the Xerox example above was made to look like it came from the victim's own domain.
3. Use a web browsing plugin like McAfee SiteAdvisor, which rates the reputation of the sites you visit.
4. DON’T click on links that seem too good to be true, like “How to Make Money”, “How to Speed Up Your Computer”, etc.

How to Remove Crypto Locker Ransomware

If you have already done one of these things and you are infected, it may be too late. For a typical malware infection, try the most popular anti-virus products to remove it; we have had pretty good luck with Malwarebytes, and when that fails we remove it manually. Of course you can also call the virus removal experts at Boxaid. With CryptoLocker, removing the malware does not bring the files back: if you choose not to pay the $100 to $300 ransom, you will have to restore your files from backup. Believe it or not, in all the cases we have seen so far the ransomware does decrypt the files when the ransom is paid. Of course there is no guarantee from the malware author.

There is also a long shot we have tried that may work if you are running Windows Vista/7/8. By default these versions have System Protection turned on, which is the feature that manages your system restore points. Alongside the restore points, System Protection keeps shadow copies (Volume Shadow Copies) of your data files, exposed through a little-known feature called “Restore previous versions”, so that you can go back to an earlier version of a file if you make a mistake. The catch is that System Protection must have been on and making these copies BEFORE the files were encrypted. You can then use a utility called ShadowExplorer to browse the snapshots and copy out the older versions of your files. Check out ShadowExplorer for more info.

Update 9-20-2013

Great news! In the last few cases that have come into Boxaid we have had success in removing the ransomware and bringing back the end users' files. Big thanks to Dave M., who let us spend several hours working on his infected PC until we were able to bring back four gigabytes and seven years of pictures and documents. It takes a bit of patience, but it can be done. Give us a call at the toll free number in the upper right if you need help removing the malware.

Update 9-30-2013

Many people are calling Boxaid hoping for a miracle because all their personal files are encrypted. We can NOT decrypt the files, but we can restore them if you meet the criteria below. The virus uses asymmetric key encryption, which means you must have the private key to decrypt the files, and that key exists only on the attacker's server, where nobody can get at it. Some earlier encryption malware could be undone because its author left the decryption key on the infected machine, in the registry; that is not the case with this ransomware, which is what makes it unique. If you don't meet the criteria below, then unfortunately you are out of luck: you can either take the risk and pay the ransom to the malware author, or restore your files from a good backup. You can read this post at Bleeping Computer for more great info.

We can only help if:

You are using Windows 7/Vista/Windows 8 (We can’t help if you have Windows XP)

You have System Restore enabled, which is the default setting in Windows

All your encrypted files are on the LOCAL hard drive

We CAN NOT help you if:

You are running Windows XP

Your encrypted files are located on ANY network share.

You have disabled system restore points.
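The “restore previous versions” long shot described in the removal section, and the Windows 7/Vista/8, System Restore and local-drive criteria in this update, all come down to one question: does the Volume Shadow Copy Service still hold a snapshot of the drive from before the encryption? The PowerShell below is an added example written for this page, not Boxaid’s procedure or ShadowExplorer’s code. It lists the same snapshots ShadowExplorer browses, picks the newest one taken before a cutoff time, mounts it as an ordinary folder, checks one picture’s header, and copies the folder out. The cutoff time, the mount path C:\ShadowMount, the Users\Dave\Pictures folder and the D:\Recovered destination are placeholders assumed for the example; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example for this page (not Boxaid's or ShadowExplorer's code). Run as Administrator on Vista/7/8.
# Placeholders chosen for the example: $driveLetter, $encryptedOn, $mountPoint, $folderToRecover, $destination.

$driveLetter     = 'C:'
$encryptedOn     = Get-Date '2013-09-26 11:23'   # when the files were scrambled (here: the time on the sample phishing email)
$mountPoint      = 'C:\ShadowMount'
$folderToRecover = 'Users\Dave\Pictures'
$destination     = 'D:\Recovered\Pictures'       # copy out to a clean location first; do not overwrite the originals yet

# 1. Which shadow copies exist for the volume that holds the encrypted files?
#    Get-WmiObject works on Vista/7 with PowerShell 2.0; Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ path,
#    which is what Win32_Volume reports as DeviceID for the drive letter.
$volume  = Get-WmiObject Win32_Volume -Filter "DriveLetter='$driveLetter'"
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Taken  = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Device = $_.DeviceObject          # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Taken

if (-not $shadows) {
    Write-Warning "No shadow copies for $driveLetter. System Protection was off (or the copies are gone), so Previous Versions cannot help here."
    return
}
$shadows | Format-Table Taken, Device -AutoSize

# 2. Use the newest snapshot taken BEFORE the encryption; anything later holds the scrambled copies.
$candidate = $shadows | Where-Object { $_.Taken -lt $encryptedOn } | Select-Object -Last 1
if (-not $candidate) {
    Write-Warning "Every snapshot postdates $encryptedOn; the copies were made after the damage."
    return
}
"Using snapshot from $($candidate.Taken)"

# 3. Expose the snapshot as a folder. mklink needs the trailing backslash on the device path.
cmd /c mklink /d $mountPoint "$($candidate.Device)\"

# 4. Sanity check before copying: a JPEG from a clean snapshot starts with FF D8; a scrambled one will not.
$sample = Get-ChildItem -Path (Join-Path $mountPoint $folderToRecover) -Filter *.jpg -Recurse |
    Select-Object -First 1
if ($sample) {
    $magic = Get-Content -Path $sample.FullName -Encoding Byte -TotalCount 2
    if ($magic[0] -eq 0xFF -and $magic[1] -eq 0xD8) { "$($sample.Name): intact in this snapshot" }
    else { "$($sample.Name): already scrambled in this snapshot, try an older one" }
}

# 5. Copy the pre-infection versions out, then remove the link (this does not delete the snapshot).
Copy-Item -Path (Join-Path $mountPoint $folderToRecover) -Destination $destination -Recurse -Force
cmd /c rmdir $mountPoint
```

Step 1 is the same information `vssadmin list shadows` prints at an elevated command prompt, and it is the whole story behind the criteria above: an empty list means System Protection never made the copies, and a network share is not covered because the snapshots belong to the machine that hosts the volume, not to the PC that mapped the drive. Step 2 matters because a snapshot taken after the infection faithfully preserves the scrambled files, which is why the header check in step 4 is worth the extra seconds before you copy gigabytes out.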

Update 10-09-2013

Yes, the virus CryptoLocker is in full swing, and we are guessing that newer versions come out every 3 days or so to evade anti-virus vendors. We base this on the readership of this article: we see huge spikes in visitors every 3 days or so. Victims are all over the world, especially in the United States. We are still hearing reports of people paying the ransom, and yes, they are getting their files decrypted as the malware authors promised. Many people are still calling Boxaid hoping for some kind of decryption tool. As previously stated, there is no way to decrypt your files, only to restore them from previous versions if you meet the requirements above. It is UNLIKELY that someone will develop a decryption tool, because the authors use encryption that requires a private key held only on the malware authors' server, which cannot be obtained at this time. The only thing end users can do is AVOID the infection in the first place. We can assure you it is much easier to avoid the infection than to clean it. Take a look at this post to see the most common infection methods so you can avoid them.
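The reason behind the “we can NOT decrypt” statements above (in How CryptoLocker Works and in the 9-30 and 10-09 updates) can be shown in a few lines. The PowerShell below is an added example written for this page, not code from Boxaid or from the malware. It generates a key pair standing in for the one on the attacker’s server, gives the “victim” side only the public half, scrambles two constructed sample files, and then shows that the public key alone cannot unscramble them while the private key can. The per-file AES key wrapped with RSA is the standard hybrid layout for public-key encryption of bulk data; the post itself only says the scheme is asymmetric. File names, contents and the list of targeted extensions are made up for the demonstration.

```powershell
# Added example for this page (not Boxaid's or the malware's code). Runs in Windows PowerShell 2.0 or later.
# In the real infection the RSA pair is generated on the attacker's server and only the public half reaches
# the PC; here both sides live in one script so the point can be shown end to end.

# --- Attacker's server: the key pair is created here and the private half never leaves ---
$server = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

# --- Victim's PC: receives only the public parameters (ExportParameters($false) omits the private ones) ---
$victimKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$victimKey.ImportParameters($server.ExportParameters($false))
"Victim PC key object is public-only: $($victimKey.PublicOnly)"

function Protect-File {
    # Scramble one file: fresh random AES-256 key per file, then wrap that key with the RSA public key.
    param([string]$Text, [System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey)
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $record = @{
        Cipher     = $cipher
        IV         = $aes.IV                              # not secret; needed to decrypt
        WrappedKey = $PublicKey.Encrypt($aes.Key, $true)  # OAEP; only the matching private key can unwrap this
    }
    $aes.Dispose()   # zeroes the AES key in this process; the wrapped copy is all that remains on the PC
    return $record
}

function Unprotect-File {
    # Unwrap the per-file AES key with the RSA private key, then decrypt the contents.
    param($Record, [System.Security.Cryptography.RSACryptoServiceProvider]$Key)
    $aesKey = $Key.Decrypt($Record.WrappedKey, $true)     # throws if $Key holds only public parameters
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Key = $aesKey; $aes.IV = $Record.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Record.Cipher, 0, $Record.Cipher.Length)
    $aes.Dispose()
    return [Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample "files" standing in for the pictures, documents and spreadsheets the post says are targeted.
$files = @{
    'vacation.jpg'  = 'bytes of a family photo (constructed)'
    'taxes2012.xls' = 'seven years of financial data (constructed)'
    'setup.exe'     = 'a program, not a data file'
}
$targetExtensions = '.jpg', '.doc', '.xls', '.pdf'   # assumed list, mirroring "finds your personal files based on extension"

$encrypted = @{}
foreach ($name in $files.Keys) {
    if ($targetExtensions -contains [IO.Path]::GetExtension($name)) {
        $encrypted[$name] = Protect-File -Text $files[$name] -PublicKey $victimKey
    }
}
"Scrambled: $($encrypted.Keys -join ', ')"

# What the victim (or a repair shop) can do with what is left on the PC: nothing.
try {
    Unprotect-File -Record $encrypted['vacation.jpg'] -Key $victimKey
    'UNEXPECTED: decrypted without the private key'
} catch {
    "Public key alone cannot decrypt: $($_.Exception.Message)"
}

# What happens when the ransom is paid and the server does the work: the private key unwraps each file key.
"Recovered: " + (Unprotect-File -Record $encrypted['vacation.jpg'] -Key $server)
```

Everything a technician can pull off the infected PC is in `$victimKey` and `$encrypted`: a public key and, per file, the ciphertext, the IV and an RSA-wrapped AES key. None of that yields the file key without `$server`, which is why cleaning the malware leaves the files scrambled, why a registry search finds nothing useful this time, and why a decryption tool is not something anyone can simply write.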

Update 11-15-2013

Wow. This is hands down the most damaging piece of malware we have ever seen at Boxaid, and we have been in the computer security space for over 15 years. We are still receiving a ton of traffic to this blog post, and countless websites significantly larger than us have detailed posts on CryptoLocker with over 300,000 views. By our best estimates there are over 500,000 infections (maybe as high as one million) all over the world, with each infection attempting to collect $300 from the end user. So if only 10% of those 500,000 users paid the malware writers to get their files back, that is 50,000 payments of $300, or $15 million! As we have said, this is a significant change from traditional malware and ransomware. This is step one in an evolution that we will see over the next few years in the ransomware industry.